Confused by Defense cyber threat alerts? A translation is on the way

By Aliya Sternstein

October 19, 2012

An expanded information-sharing program will potentially allow more than 2,600 defense suppliers access to top-secret Pentagon communications with select companies about indications of cyber threats, partly by adding context understandable to a wider audience, officials with the contractor responsible for the ramp-up say.

The defense industrial base collaboration initiative started as a pilot program during summer 2011. In May, the Pentagon allowed the whole industry to join. Participants receive disclosures when the military detects signs of unfolding malicious campaigns so that their in-house technical teams can take protective measures. The Defense Department also distributes reports about breaches participating companies have suffered, after deleting identifying information to avoid exposing the weaknesses of competitors.

Around the time the initiative began ramping up, the General Services Administration signed a deal with Lockheed Martin Corp. worth up to $454 million for help running the Defense Cyber Crime Center, or DC3, which operates the program.

“One of our primary focuses is – ‘How do we help the government scale?’ ” said Rohan Amin, Lockheed’s program director for DC3. “Going from a small number of companies to a large number of companies is a very big problem.”

To facilitate growth, the firm is modifying communication procedures by, for example, explaining threat intelligence in a way that any military contractor, regardless of practice area, can grasp.

The program will contextualize the data using a technique Lockheed honed to protect its own business systems and its customers’ systems. The process dissects an intruder’s attack plan into a series of actions, taken over a period of time, that are intended to achieve an ultimate goal -- for instance, obtaining drone designs from a defense contractor’s network. Analysts then devise a corresponding response for each action that, if applied along any point in the chain, can foil the crook’s plan.

“DC3 has adopted that framework to enhance its information sharing,” Amin said, referring to the breakdown of the attack path, or “cyber kill chain.”

Critics of the industrial base program are skeptical that the intelligence gained is any better than what companies already know from their commercial cybersecurity providers.

Amin responded that, from Lockheed’s perspective, the information-sharing endeavors “are of value, but like any cybersecurity tool, nothing is ever going to be a silver bullet for solving all problems.”

One unique benefit for the contractor is the ability to compare incidents happening elsewhere in industry and government with its own experiences. “If you see that you have periods where things are quiet,” but others in the same sector are experiencing network irregularities, “that may cause you to think through if there are things you are missing,” Amin said. He added that the most sophisticated adversaries move without being detected by commercial cybersecurity services.

Defense on Sept. 24 announced a one-year renewal of a separate agreement with Booz Allen Hamilton worth up to $10 million for hardware and software that transmits the threat alerts.

There is discussion of establishing similar classified exchanges with other sectors critical to daily life, such as water utilities and financial institutions. The Homeland Security Department could offer these critical sectors entry into a facility called the National Cybersecurity and Communications Integration Center that already circulates top secret warnings about threats, Seán McGurk, a former DHS official who launched the center, said on Sept. 29.

“We started the capability -- and now we need to advance that capability and we need to extend it” beyond the currently six or seven active industries, he added.

Amin said “those other critical sectors are being looked at by DHS,” but DC3 is not directly involved in the conversations.